RE: UAC related errors on windows 7 64-bit with Application Verifier

2014-02-04 Thread mswarna
Thanks a lot for the solution. Worked like a charm.
Commented out the following lines of code in RAND_poll():

/*if (netstatget(NULL, LLanmanWorkstation, 0, 0, outbuf) == 0)
{
    RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
    netfree(outbuf);
}
if (netstatget(NULL, LLanmanServer, 0, 0, outbuf) == 0)
{
    RAND_add(outbuf, sizeof(STAT_SERVER_0), 17);
    netfree(outbuf);
}*/

Rest is as is.

The only thing I think I know is that this would affect the randomness of
the generated random number.
But can you please tell us the consequences of going ahead with this?
Like, what all areas will have an impact and whether this is a good solution
or not in the long run, or is there any alternative to NetStatisticsGet that
we should look out for?




--
View this message in context: 
http://openssl.6102.n7.nabble.com/UAC-related-errors-on-windows-7-64-bit-with-Application-Verifier-tp48377p48402.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: UAC related errors on windows 7 64-bit with Application Verifier

2014-02-03 Thread Michael Wojcik
 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
 us...@openssl.org] On Behalf Of mswarna
 Sent: Friday, 31 January, 2014 08:43
 
 We would like to go for windows app certification/Microsoft client logo
 certification. One of the requirements for this is running a tool called
 Application Verifier that comes along with the certification kit. When the
 application is run under this tool with luaPriv(UAC) related tests, 2 errors
 related to UAC were thrown. This basically tests when the user runs the
 application with LUA privileges (as standard user).

I've removed the stack trace because it's misleading (for reasons unclear to 
me). As you note below, the Windows API NetStatisticsGet is not called from 
EVP_EncodeBlock, as the trace claims, but from RAND_poll in rand_win.c.

 After going through the openssl code, the root cause may be the use of LanmanServer
 and LanmanWorkstation services in the netstatisticsget call, since Windows
 Vista has had the UAC concept coming in.

More precisely, NetStatisticsGet is now reserved to administrative users. An 
application running under UAC with asInvoker will not have administrative 
privileges, and consequently cannot successfully invoke NetStatisticsGet.

I think the correct fix for this is to skip the two calls to NetStatisticsGet 
in RAND_poll if the calling thread does not have the Administrators SID in its 
token. There's sample code in the MSDN documentation for the 
CheckTokenMembership API showing how to make that test.

RAND_poll treats the output of the two NetStatisticsGet calls as contributing 
62 bytes of entropy to the pool, but since the calls fail for 
non-administrative users anyway, they're already not getting that entropy. (And 
the existing code does check for failure.)

Since RAND_poll doesn't depend on NetStatisticsGet succeeding, I believe the 
only consequence of this issue is the complaint from Application Verifier. So 
it may not be a high priority for OpenSSL developers. Therefore, you may want 
to implement the check yourself, or simply remove the calls to NetStatisticsGet 
in your own OpenSSL build.

-- 
Michael Wojcik
Technology Specialist, Micro Focus



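One way to implement the check Michael describes, as an added example that is not OpenSSL's code or anything from this thread: the Administrators SID is built with AllocateAndInitializeSid and tested with CheckTokenMembership (as in the MSDN sample), and the two NetStatisticsGet blocks from RAND_poll are only attempted when that test succeeds. The names token_is_admin and poll_net_statistics are assumptions, the add callback stands in for RAND_add, the estimates 45 and 17 are the ones OpenSSL uses in the snippet above, and on non-Windows builds the functions compile to stubs.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "netapi32.lib")

/* 1 if the calling thread's token holds BUILTIN\Administrators, 0 if not,
 * -1 if the check itself failed. A NULL token handle makes CheckTokenMembership
 * use the thread's impersonation token, or the process token otherwise. */
int token_is_admin(void)
{
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    PSID admins = NULL;
    BOOL member = FALSE;
    int rc = -1;
    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
                                  &admins))
        return -1;
    if (CheckTokenMembership(NULL, admins, &member))
        rc = member ? 1 : 0;
    FreeSid(admins);
    return rc;
}

/* Stand-in for the two NetStatisticsGet blocks in RAND_poll; 'add' plays the
 * role of RAND_add(buf, num, entropy_estimate). Returns bytes handed to 'add'. */
size_t poll_net_statistics(void (*add)(const void *, size_t, double))
{
    LPBYTE buf = NULL;
    size_t added = 0;
    if (token_is_admin() != 1)   /* standard user: skip, the calls would fail */
        return 0;
    if (NetStatisticsGet(NULL, (LPWSTR)L"LanmanWorkstation", 0, 0, &buf) == NERR_Success) {
        add(buf, sizeof(STAT_WORKSTATION_0), 45);
        added += sizeof(STAT_WORKSTATION_0);
        NetApiBufferFree(buf);
    }
    if (NetStatisticsGet(NULL, (LPWSTR)L"LanmanServer", 0, 0, &buf) == NERR_Success) {
        add(buf, sizeof(STAT_SERVER_0), 17);
        added += sizeof(STAT_SERVER_0);
        NetApiBufferFree(buf);
    }
    return added;
}
#else
/* Non-Windows build: no Lanman statistics exist; stubs keep the file compiling. */
int token_is_admin(void) { return -1; }
size_t poll_net_statistics(void (*add)(const void *, size_t, double)) { (void)add; return 0; }
#endif

/* Callback for callers who only want the byte count, not the data. */
void discard_entropy(const void *buf, size_t num, double est) { (void)buf; (void)num; (void)est; }
```

Because the gate runs before either NetStatisticsGet call, a non-administrative token never reaches the API that Application Verifier flags, while the entropy path for administrators is unchanged.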